hooks: add script to remove unneeded apparmor profiles#396
hooks: add script to remove unneeded apparmor profiles#396zyga wants to merge 1 commit intocanonical:core22from
Conversation
This speeds up boot time as we prevent many calls to apparmor_parser. This patch is amended compared to the core26 counterpart, to provide the correct set of expected profiles (in this case, none). Those differ from base to base.
There was a problem hiding this comment.
Pull request overview
This PR adds a hook script to remove unneeded AppArmor profiles during the build process, along with a corresponding test to verify that no profiles remain after cleanup. This optimization reduces boot time by preventing unnecessary calls to apparmor_parser. According to the PR description, this is adapted from a core26 counterpart but modified to expect zero remaining profiles for this base.
Changes:
- Added hook script (800-remove-unneeded-profiles.chroot) that removes AppArmor profiles from /etc/apparmor.d/ if no matching binary exists in specified search directories
- Added test script (800-remove-unneeded-profiles.test) to verify that all AppArmor profiles have been removed
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 6 comments.
| File | Description |
|---|---|
| hooks/800-remove-unneeded-profiles.chroot | Hook script that iterates through AppArmor profiles and deletes those without corresponding binaries in system directories |
| hook-tests/800-remove-unneeded-profiles.test | Test script that verifies no AppArmor profiles remain after the cleanup hook executes |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| printf "Apparmor profile %s is not allowed\n" "$filename" | ||
| exit 1 | ||
| fi | ||
| done | ||
|
|
||
| if [ "$num_prof" -ne "${#allowed_profs[@]}" ]; then | ||
| # If there were more we would have failed in the loop | ||
| printf "Less number of apparmor profiles than expected\n" |
There was a problem hiding this comment.
The proper capitalization of the project name is "AppArmor" with two capital A's, not "apparmor". This should be corrected for consistency.
| printf "Apparmor profile %s is not allowed\n" "$filename" | |
| exit 1 | |
| fi | |
| done | |
| if [ "$num_prof" -ne "${#allowed_profs[@]}" ]; then | |
| # If there were more we would have failed in the loop | |
| printf "Less number of apparmor profiles than expected\n" | |
| printf "AppArmor profile %s is not allowed\n" "$filename" | |
| exit 1 | |
| fi | |
| done | |
| if [ "$num_prof" -ne "${#allowed_profs[@]}" ]; then | |
| # If there were more we would have failed in the loop | |
| printf "Less number of AppArmor profiles than expected\n" |
| if [ "$filename" = unix-chkpwd ] | ||
| then filename=unix_chkpwd |
There was a problem hiding this comment.
The if-then statement formatting is inconsistent with bash best practices. The condition and 'then' keyword should either be on the same line separated by a semicolon, or the 'then' should be on its own line. The current format with 'then' on the next line without proper indentation is unconventional.
| if [ "$filename" = unix-chkpwd ] | |
| then filename=unix_chkpwd | |
| if [ "$filename" = unix-chkpwd ]; then | |
| filename=unix_chkpwd |
| echo "Starting AppArmor profile cleanup..." | ||
|
|
||
| # Iterate through files in /etc/apparmor.d/ | ||
| for profile in "$APPARMOR_PROF_D"/*; do |
There was a problem hiding this comment.
The glob pattern expansion could cause unexpected behavior if the directory is empty or doesn't exist. When the glob doesn't match any files, it will literally pass the string "/etc/apparmor.d/*" to the loop. While the subsequent checks for directory and regular file will handle this gracefully, it's more robust to either check if the directory exists first, or use 'shopt -s nullglob' at the beginning of the script to make globs expand to nothing when they don't match.
|
|
||
| num_prof=0 | ||
|
|
||
| for profile in "$APPARMOR_PROF_D"/*; do |
There was a problem hiding this comment.
The glob pattern expansion could cause unexpected behavior if the directory is empty or doesn't exist. When the glob doesn't match any files, it will literally pass the string "etc/apparmor.d/*" to the loop. While the subsequent checks for directory and regular file will handle this gracefully, it's more robust to either check if the directory exists first, or use 'shopt -s nullglob' at the beginning of the script to make globs expand to nothing when they don't match.
| filename=$(basename "$profile") | ||
|
|
||
| # unix-chkpwd profile is actually for unix_chkpwd, fix this naming issue here | ||
| if [ "$filename" = unix-chkpwd ] |
There was a problem hiding this comment.
The string comparison should have the right-hand side quoted for consistency and safety. While it works in this case, the pattern should be if [ "$filename" = "unix-chkpwd" ] to follow best practices and prevent potential issues with special characters or word splitting.
| if [ "$filename" = unix-chkpwd ] | |
| if [ "$filename" = "unix-chkpwd" ] |
| printf "Apparmor profile %s is not allowed\n" "$filename" | ||
| exit 1 | ||
| fi | ||
| done | ||
|
|
||
| if [ "$num_prof" -ne "${#allowed_profs[@]}" ]; then | ||
| # If there were more we would have failed in the loop | ||
| printf "Less number of apparmor profiles than expected\n" |
There was a problem hiding this comment.
The proper capitalization of the project name is "AppArmor" with two capital A's, not "Apparmor". This should be corrected for consistency with the hook script (line 17 of hooks/800-remove-unneeded-profiles.chroot) and standard naming conventions.
| printf "Apparmor profile %s is not allowed\n" "$filename" | |
| exit 1 | |
| fi | |
| done | |
| if [ "$num_prof" -ne "${#allowed_profs[@]}" ]; then | |
| # If there were more we would have failed in the loop | |
| printf "Less number of apparmor profiles than expected\n" | |
| printf "AppArmor profile %s is not allowed\n" "$filename" | |
| exit 1 | |
| fi | |
| done | |
| if [ "$num_prof" -ne "${#allowed_profs[@]}" ]; then | |
| # If there were more we would have failed in the loop | |
| printf "Less number of AppArmor profiles than expected\n" |
2 participants
This speeds up boot time as we prevent many calls to apparmor_parser.
This patch is amended compared to the core26 counterpart, to provide the correct set of expected profiles (in this case, none). Those differ from base to base.